The long-awaited UK data transfer mechanism has been published by the Information Commissioner’s Office (ICO), resolving the question of how international transfers of personal data from the UK will be handled post-Brexit. As a refresher, the European Commission published four new versions of the EU standard contractual clauses (SCCs) in June 2021. However, these new 2021 SCCs did not apply to exports of personal data from the UK because the UK was no longer part of the EU This created quite the headache and doubled the paperwork for multinational companies, many of whom temporarily were forced to rely on using both the older 2010 SCCs reformatted by the UK ICO to be UK-centric, plus the new 2021 SCCs, which were required for all new contracts entered into after September 2021 involving transfers of EU personal data to most countries, including the United States.
The UK’s solution is the one hoped for – companies now need only add a UK-approved addendum to existing 2021 EU SCCs to govern UK data transfers to third countries not considered to provide “adequate” data protection. For UK-only personal data exports, the ICO has issued stand-alone SCCs, called the International Data Transfer Agreement (IDTA). Unlike the EU SCCs, which have four versions depending on the parties’ relationships, the UK’s IDTA is one lengthy document. While the IDTA won’t be finalized until March 21, 2022, it is expected to take effect without any revisions.
Companies who have already entered into the UK version of the 2010 SCCs can continue to rely on those SCCs for covered data transfers until March 21, 2024, as long as the data processing operations remain the same, and the exporter has adopted measures to address concerns raised in the European Court of Justice’s Schrems 2 decision in July 2020. That decision struck down one of the primary data transfer mechanisms, the EU-U.S. Privacy Shield, finding that laws in the U.S. that permitted government access to personal data of EU residents rendered the U.S. inadequate to protect such data. In November 2020, the European Data Protection Board issued guidance on what additional measures needed to be taken to attempt to address the concerns of the European court, including an analysis of the recipient country’s laws. That analysis made its way into the June 2021 SCCs in the form of a transfer impact assessment (TIA).
While it’s hard to keep up with the ever-changing rules, regulations, and guidance, companies can and should consider the following:
- For multinational companies, ensure your intracompany data transfer agreements (e.g., agreements from your EU and UK entities to your U.S. entity) are updated with the 2021 SCCs and the new UK addendum, or the IDTA, as appropriate.
- Conduct a TIA of the recipient country’s laws that would permit government and law enforcement access to personal data.
- Take measures to limit the amount of EU/UK personal data transferred and stored outside those jurisdictions to the minimum necessary.
- Implement a law enforcement request policy setting forth the way the U.S. entity will respond to subpoenas and warrants for personal data of individuals in the EU/UK to attempt to minimize the amount of data produced in response and provide notice to the EU/UK data subjects where feasible.
- Review your third party vendor agreements to determine if SCCs or the IDTA should be part of those agreements. If so, utilize the newer versions. Remember that large vendor may have issued form SCCs on their website which you can download and sign and append to your contracts.